
c++ - Getting the 32-bit PEB of another process from an x64 process

Reposted. Author: 搜寻专家. Updated: 2023-10-31 00:58:47

I have a 64-bit process that needs to read the 32-bit PEB of a Wow64 process.

I can get it via NtQueryInformationProcess, but I realised that a Wow64 process has two PEBs (a 64-bit one and a 32-bit one) and that NtQueryInformationProcess returns the one matching the caller's bitness (64-bit in my case), as @Anders commented in this answer:

How to get the Process Environment Block (PEB) from extern process?

This is my scenario: I am trying to get the 32-bit PEB of a Wow64 process from inside an x64 process. Any suggestion that involves changing that scenario is useless. I also know that this kind of solution is not recommended for production; that is not my intention.

Any ideas?

Thanks in advance.

Best answer

If you read the documentation for NtQueryInformationProcess() on MSDN, there is a comment that says:

It appears that when querying a process running under wow64 in (at least) windows Vista the PebBaseAddress returned is actually for the 64-bit modules loaded under wow64. From some initial investigations I've done it appears that the PEB which pertains to 32-bit modules can be found by taking the PebBaseAddress and subtracting one page (0x1000) from its value. I have minimally confirmed this hypothesis by inspecting the process's TIB's and following their PEB pointers back to an address which, so far, has always shown to be -0x1000 from the PebBaseAddress value returned by this function.

Update: I just found this code, which states that the above no longer applies after Windows 8, but it does provide an alternative solution:

#define TEB32OFFSET 0x2000

void interceptNtDll32(HANDLE hProcess)
{
    THREAD_BASIC_INFORMATION tbi;
    NTSTATUS ntrv;
    TEB32 teb32;
    void *teb32addr;
    PEB_LDR_DATA32 ldrData;
    PEB32 peb32;
    LIST_ENTRY32 *pMark = NULL;
    LDR_DATA_TABLE_ENTRY32 ldrDataTblEntry;
    size_t bytes_read;
    HANDLE hThread = getThreadHandle(hProcess);

    /* Used to be able to get the 32-bit PEB from PEB64 with a 0x1000 offset, but
       Windows 8 changed that, so we do it indirectly from the TEB */
    if (!hThread)
        return;

    /* Get thread basic information to get the 64-bit TEB */
    ntrv = NtQueryInformationThread(hThread, ThreadBasicInformation, &tbi, sizeof(tbi), NULL);
    if (ntrv != 0) {
        goto out;
    }

    /* Use magic to find the 32-bit TEB */
    teb32addr = (char *)tbi.TebBaseAddress + TEB32OFFSET; // Magic...
    ntrv = NtReadVirtualMemory(hProcess, teb32addr, &teb32, sizeof(teb32), NULL);
    if (ntrv != 0 || teb32.NtTib.Self != (DWORD)teb32addr) { // Verify magic...
        goto out;
    }

    /* TEB32 holds the address of the 32-bit PEB. */
    ntrv = NtReadVirtualMemory(hProcess, (void *)teb32.ProcessEnvironmentBlock, &peb32, sizeof(peb32), NULL);
    if (ntrv != 0) {
        goto out;
    }

    ...
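The lookup the quoted code performs, as an added example that is not part of the original answer or the linked code: read the Wow64 target's TEB32 at TEB64 + 0x2000, accept it only if its NtTib.Self back-pointer matches, then follow ProcessEnvironmentBlock to the PEB32. The remote-read primitive is passed in so the logic runs offline against a constructed memory image; the trimmed struct layouts, FakeMemory and DemoImageBase are assumptions made for this example, and on Windows the reader would wrap ReadProcessMemory() or NtReadVirtualMemory().

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <map>
#include <vector>

// Leading fields of the 32-bit TEB and PEB only; the offsets match the real Wow64 layouts.
struct NT_TIB32 { uint32_t ExceptionList, StackBase, StackLimit, SubSystemTib, FiberData, ArbitraryUserPointer, Self; };
struct TEB32 { NT_TIB32 NtTib; uint32_t EnvironmentPointer, UniqueProcess, UniqueThread, ActiveRpcHandle, TlsPointer, ProcessEnvironmentBlock; };
struct PEB32 { uint8_t InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField; uint32_t Mutant, ImageBaseAddress, Ldr, ProcessParameters; };
static_assert(offsetof(TEB32, ProcessEnvironmentBlock) == 0x30 && offsetof(PEB32, Ldr) == 0x0C, "layout");

constexpr uint64_t TEB32OFFSET = 0x2000;  // TEB32 follows the TEB64 by 0x2000 (the answer's post-Windows-8 "magic")
using RemoteReader = std::function<bool(uint64_t addr, void* out, size_t len)>;  // wrap ReadProcessMemory() here on Windows

// teb64 is TebBaseAddress from NtQueryInformationThread(ThreadBasicInformation) for a thread of the Wow64 target.
// The candidate TEB32 is trusted only if its NtTib.Self back-pointer equals its own address, as in the quoted code.
bool ReadWow64Peb(const RemoteReader& rd, uint64_t teb64, PEB32& peb, uint32_t& pebAddr) {
    uint64_t teb32Addr = teb64 + TEB32OFFSET;
    if (teb32Addr > 0xFFFFFFFFull) return false;  // Wow64 TEBs live below 4 GiB; avoids a false match after truncation
    TEB32 teb{};
    if (!rd(teb32Addr, &teb, sizeof teb)) return false;
    if (teb.NtTib.Self != static_cast<uint32_t>(teb32Addr)) return false;  // not a TEB32: wrong layout or not Wow64
    if (teb.ProcessEnvironmentBlock == 0 || !rd(teb.ProcessEnvironmentBlock, &peb, sizeof peb)) return false;
    pebAddr = teb.ProcessEnvironmentBlock;
    return true;
}

struct FakeMemory {  // constructed stand-in for the target's address space (test fixture; addresses are made up)
    std::map<uint64_t, std::vector<uint8_t>> blobs;
    void put(uint64_t a, const void* s, size_t n) { auto p = static_cast<const uint8_t*>(s); blobs[a].assign(p, p + n); }
    bool read(uint64_t a, void* o, size_t n) const {
        auto it = blobs.find(a);
        if (it == blobs.end() || it->second.size() < n) return false;
        return std::memcpy(o, it->second.data(), n), true;
    }
};

// Fixture plus lookup; returns PEB32.ImageBaseAddress, or 0 when rejected. corruptSelf shifts Self so the check must fail.
uint32_t DemoImageBase(bool corruptSelf) {
    const uint64_t teb64 = 0x00312000ull; const uint32_t pebAddr = 0x00A00000u;  // constructed addresses
    TEB32 t{}; t.ProcessEnvironmentBlock = pebAddr;
    t.NtTib.Self = static_cast<uint32_t>(teb64 + TEB32OFFSET) ^ (corruptSelf ? 0x10u : 0u);
    PEB32 p{}; p.ImageBaseAddress = 0x00400000u; p.Ldr = pebAddr + 0x200u;
    FakeMemory m; m.put(teb64 + TEB32OFFSET, &t, sizeof t); m.put(pebAddr, &p, sizeof p);
    PEB32 out{}; uint32_t outAddr = 0;
    RemoteReader rd = [&m](uint64_t a, void* o, size_t n) { return m.read(a, o, n); };
    return ReadWow64Peb(rd, teb64, out, outAddr) ? out.ImageBaseAddress : 0u;
}
```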

Regarding "c++ - Getting the 32-bit PEB of another process from an x64 process", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/34736009/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号